Skip to content


    Only when you automise certain processes related to your Checkout Paylink or One-Page-Shop, you will need to create an API signature to use the API.

    Coding: Some (Backend)

    Find the API Secret Key of your Instance

    This and the following steps are only relevant for you, if you want to automate your Paylink or One-Page-Shop payment processes by using the API. For most cases, the functionality provided through your Checkout Paylink account is sufficient.

    You can find your API Key in your Checkout Paylink account after clicking "API & Plugins" on the left hand navigation column.

    Create your API Signature

    Get your API Signature

    echo -n "HTTP-QUERY-STRING" | openssl dgst -sha256 -hmac "API-SECRET" -binary | openssl enc -base64

    Encoding of HTTP-Query String
    The query string has to be RFC1738 encoded. This means that you will have to replace spaces by "+".

    For security reasons, when using the API, we want you to pass an API signature calculated with the API Secret of your instance.

    The API signature is HMAC encoded RFC 2104: spaces need to be represented as "+".

    The parameter name of this API signature should be ApiSignature. You can calculate the signature using all parameters except the instance parameter.

    • Build query string (e.g. model=Page&id=17)
    • Calculate binary hmac hash using your Checkout Paylink account's API Secret as key
    • Encode it with base64

    API Base Address

    The Checkout Paylink REST APIs are collected under the following base address:


    The payload data has to be RFC 3986 URL encoded and spaces will be percent encoded "%20".

    Please note that the payload data and API signature must be encoded differently: The API signature is HMAC encoded RFC2104: spaces must be represented as "+".

    objectPaylink, Transaction
    idOnly used for request types GET, PUT and DELETE where only one entity gets modified.
    instanceThe Paylink instance name.

    For POST requests, all query parameters except the instance have to be in the body.

    Please find a comprehensive list of endpoints and functionality in our API reference.

    HTTP CodeStatusMessage
    200OKEverything worked successfully!
    403ForbiddenThe API Signature is wrong
    404Not FoundThe requested endpoint does not exist

    All errors will return a JSON in the following format:


      status: "error",
      message: "An error occurred: Human readable message goes here"

    Was this helpful?

    What was your feeling about it?